The request receiver defines the security requirements of the SOAP message. The security handler on the request receiver side enforces the security specifications that are defined in the IBM® extension deployment descriptor (ibm-webservices-ext.xmi) and bindings (ibm-webservices-bnd.xmi).
Important: There is an important distinction between Version 5.x and Version 6 and later applications. The information in this article applies only to Version 5.x applications that are used with WebSphere® Application Server Version 6.0.x and later. It does not apply to Version 6 and later applications.
The security constraints of the request sender must match the security requirements of the request receiver for the server to accept the request. If the incoming SOAP message does not meet all of the defined security requirements, the request is rejected and the appropriate fault code is returned to the sender. Security tokens are validated using the Java Authentication and Authorization Service (JAAS) login configuration, and the authenticated identity is set as the identity for the downstream invocation.
For example, if there is a security requirement that the SOAP body be digitally signed by Joe Smith, and the SOAP body of the incoming SOAP message is not signed by Joe Smith, the request is rejected.
You can define the following security requirements for the request receiver:
- Required integrity (digital signature)
  You can select multiple parts of a message to sign digitally. The following list contains the integrity options:
  - Body
  - Time stamp
  - Security token
- Required confidentiality (encryption)
  You can select multiple parts of a message to encrypt. The following list contains the confidentiality options:
- Required security token
  You can have multiple security tokens. The following list contains the security token options:
  - Basic authentication, which requires both a user name and a password
  - Identity assertion, which requires a user name only
  - X.509 binary security token
  - Lightweight Third Party Authentication (LTPA) binary security token
  - Custom token, which is pluggable and supports custom-defined tokens validated by the JAAS login configuration
- Received time stamp
  You can have a time stamp for checking the timeliness of the message.
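The following is an added example, not WebSphere code and not taken from the deployment descriptors above. It models what the request receiver's security handler does with the requirements just listed: it takes a policy (which parts must be signed, whether the body must be encrypted, which token kinds must be present, whether the time stamp is checked) and an incoming SOAP message, and either accepts the message or rejects it with a fault code. The fault codes are the wsse: codes defined by WS-Security 1.0. Everything else is an assumption made for the example: the option names in ReceiverPolicy, SHA-256 as the only accepted digest algorithm, the "body" name for encrypted body content, the placeholder certificate and ds:SignatureValue in the constructed sample message, and the fixed clock. The integrity check verifies that each required part is referenced by the signature and that its canonicalized digest still matches; verifying ds:SignatureValue against the signer's certificate (the step that establishes it was "Joe Smith" who signed) is assumed to be done by an XML-DSig library and is not repeated here. Requires Python 3.8 or later for xml.etree.ElementTree.canonicalize.

```python
import base64
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

_OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": _OASIS + "wssecurity-secext-1.0.xsd", "wsu": _OASIS + "wssecurity-utility-1.0.xsd",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # fixed prefixes keep serialization deterministic
WSU_ID = "{%s}Id" % NS["wsu"]
X509_V3 = _OASIS + "x509-token-profile-1.0#X509v3"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"  # assumption: receiver accepts SHA-256 digests only
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock so the sample is reproducible
LATER = NOW + timedelta(minutes=10)

@dataclass
class ReceiverPolicy:  # hypothetical model of the receiver's requirements; names follow the options above
    required_integrity: frozenset = frozenset()        # subset of {"body", "timestamp", "securitytoken"}
    required_confidentiality: frozenset = frozenset()  # {"body"}: assumed name for encrypted body content
    required_tokens: frozenset = frozenset()           # subset of {"basicauth", "idassertion", "x509"}
    check_timestamp: bool = False
    max_skew: timedelta = timedelta(minutes=5)         # tolerated clock skew on wsu:Created

def c14n_digest(elem):
    """Base64 SHA-256 over the canonicalized element: the value a ds:Reference carries for it."""
    canon = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def token_kinds(sec):
    """Classify the tokens in wsse:Security the way the token options above distinguish them."""
    kinds = set()
    for ut in sec.findall("wsse:UsernameToken", NS):
        kinds.add("basicauth" if ut.find("wsse:Password", NS) is not None else "idassertion")
    for bst in sec.findall("wsse:BinarySecurityToken", NS):
        if bst.get("ValueType") == X509_V3:
            kinds.add("x509")
    return kinds

def parse_utc(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_request(policy, soap_xml, now):
    """Return (accepted, fault_code); the fault codes are the wsse: codes that WS-Security 1.0 defines."""
    env = ET.fromstring(soap_xml)
    body = env.find("soapenv:Body", NS)
    sec = env.find("soapenv:Header/wsse:Security", NS)
    if body is None or sec is None:
        return False, "wsse:InvalidSecurity"
    if not policy.required_tokens <= token_kinds(sec):
        return False, "wsse:SecurityTokenUnavailable"
    ts = sec.find("wsu:Timestamp", NS)
    if policy.check_timestamp:
        if ts is None:
            return False, "wsse:InvalidSecurity"
        created, expires = (parse_utc(ts.findtext(t, namespaces=NS)) for t in ("wsu:Created", "wsu:Expires"))
        if created > now + policy.max_skew or now > expires:
            return False, "wsse:MessageExpired"
    if "body" in policy.required_confidentiality and body.find("xenc:EncryptedData", NS) is None:
        return False, "wsse:InvalidSecurity"  # plaintext where ciphertext is required
    if policy.required_integrity:
        sig = sec.find("ds:Signature", NS)
        if sig is None:
            return False, "wsse:InvalidSecurity"
        refs = {}  # wsu:Id of each signed part -> digest the signer committed to (SHA-256 references only)
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            if ref.find("ds:DigestMethod", NS).get("Algorithm") == SHA256_URI:
                refs[ref.get("URI").lstrip("#")] = ref.findtext("ds:DigestValue", namespaces=NS)
        parts = {"body": body, "timestamp": ts, "securitytoken": sec.find("wsse:BinarySecurityToken", NS)}
        for name in policy.required_integrity:
            elem = parts.get(name)
            if elem is None or elem.get(WSU_ID) not in refs:
                return False, "wsse:InvalidSecurity"  # required part is not covered by the signature
            if refs[elem.get(WSU_ID)] != c14n_digest(elem):
                return False, "wsse:FailedCheck"      # covered, but changed after it was signed
        # Assumption: ds:SignatureValue was already verified against the signer's certificate by an XML-DSig library.
    return True, None

def build_sample_request(body_text, signed_parts, created=NOW, lifetime=timedelta(minutes=5)):
    """Constructed sample from a sender that honours the policy (not a captured WebSphere message)."""
    def q(prefix, tag):
        return "{%s}%s" % (NS[prefix], tag)
    env = ET.Element(q("soapenv", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("soapenv", "Header")), q("wsse", "Security"))
    ts = ET.SubElement(sec, q("wsu", "Timestamp"), {WSU_ID: "ts-1"})
    ET.SubElement(ts, q("wsu", "Created")).text = created.strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(ts, q("wsu", "Expires")).text = (created + lifetime).strftime("%Y-%m-%dT%H:%M:%SZ")
    bst = ET.SubElement(sec, q("wsse", "BinarySecurityToken"), {WSU_ID: "x509-1", "ValueType": X509_V3})
    bst.text = base64.b64encode(b"placeholder, not a real certificate").decode()
    body = ET.SubElement(env, q("soapenv", "Body"), {WSU_ID: "body-1"})
    ET.SubElement(body, "getBalance").text = body_text
    sig = ET.SubElement(sec, q("ds", "Signature"))
    info = ET.SubElement(sig, q("ds", "SignedInfo"))
    parts = {"body": body, "timestamp": ts, "securitytoken": bst}
    for name in signed_parts:
        ref = ET.SubElement(info, q("ds", "Reference"), {"URI": "#" + parts[name].get(WSU_ID)})
        ET.SubElement(ref, q("ds", "DigestMethod"), {"Algorithm": SHA256_URI})
        ET.SubElement(ref, q("ds", "DigestValue")).text = c14n_digest(parts[name])
    ET.SubElement(sig, q("ds", "SignatureValue")).text = "cGxhY2Vob2xkZXI="  # placeholder, see assumption above
    return ET.tostring(env, encoding="unicode")
```

With a policy of ReceiverPolicy(required_integrity=frozenset({"body", "timestamp"}), required_tokens=frozenset({"x509"}), check_timestamp=True), the message from build_sample_request("42", ["body", "timestamp"]) is accepted at NOW. Changing the body text after signing is rejected with wsse:FailedCheck, a message whose signature covers only the time stamp with wsse:InvalidSecurity, the same message evaluated at LATER with wsse:MessageExpired, and a policy that requires basic authentication with wsse:SecurityTokenUnavailable, which is the "constraints must match requirements" rule above applied mechanically.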